# Install nss with Homebrew, apk, apt, dnf, MacPorts, Nix, pacman, zypper

Libraries for security-enabled client and server applications. Version 3.125 via Homebrew; verified 2026-06-25.

## Install

```sh
sudo av install brew:nss
```

Additional install commands:

### macOS

- Homebrew (100%):

```sh
brew install nss
```

  Evidence: local Homebrew formula metadata

- MacPorts (94%):

```sh
sudo port install nss
```

  Evidence: MacPorts ports tree: net/nss/Portfile from https://api.github.com/repos/macports/macports-ports/git/trees/master?recursive=1

### Linux

- apk (92%):

```sh
sudo apk add nss
```

  Evidence: Alpine Linux edge package indexes: nss from https://dl-cdn.alpinelinux.org/alpine/edge/main/x86_64/APKINDEX.tar.gz

- Debian apt (92%):

```sh
sudo apt install libnss3
```

  Evidence: Debian stable package indexes: libnss3 from https://deb.debian.org/debian/dists/stable/main/binary-amd64/Packages.xz

- dnf (92%):

```sh
sudo dnf install nspr
```

  Evidence: Fedora Rawhide package metadata: nspr from https://dl.fedoraproject.org/pub/fedora/linux/development/rawhide/Everything/x86_64/os/repodata/e5ca8ce900cd68f5419e1c39ae517343100b306336cbaeb70a3c153121d95094-primary.xml.zst

- Nix (92%):

```sh
nix profile install nixpkgs#nss
```

  Evidence: nixpkgs package indexes: nss from https://raw.githubusercontent.com/NixOS/nixpkgs/master/pkgs/top-level/all-packages.nix

- pacman (92%):

```sh
sudo pacman -S nss
```

  Evidence: Arch Linux sync databases: nss from https://geo.mirror.pkgbuild.com/core/os/x86_64/core.db.tar.gz

- zypper (92%):

```sh
sudo zypper install mozilla-nss
```

  Evidence: openSUSE Tumbleweed package metadata: mozilla-nss from https://download.opensuse.org/tumbleweed/repo/oss/repodata/be8d3611d25469107f32075a1697e69ec57a2b850b42348a658cc671ad5ec2b50760d02c3e59524d50da9a11d5be799bdaffba2e166e8ca8858512e3c0bd665d-primary.xml.zst

## Package facts

- **Package key:** brew:nss
- **Package manager:** Homebrew
- **Package manager page:** <https://formulae.brew.sh/formula/nss>
- **Version:** 3.125
- **Source summary:** Libraries for security-enabled client and server applications
- **Homepage:** <https://firefox-source-docs.mozilla.org/security/nss/index.html>
- **Repository:** <https://hg.mozilla.org/projects/nss>
- **Upstream docs:** <https://firefox-source-docs.mozilla.org/security/nss/build.html>
- **License:** MPL-2.0
- **Source archive:** <https://ftp.mozilla.org/pub/security/nss/releases/NSS_3_125_RTM/src/nss-3.125.tar.gz>
- **Last updated:** 2026-06-25T13:37:57+02:00
- **Generated:** 2026-07-08T07:18:31+00:00

## Executables

- addbuiltin (cli)
- atob (cli)
- baddbdir (cli)
- bltest (cli)
- btoa (cli)
- certutil (cli)
- chktest (cli)
- cmsutil (cli)
- crlutil (cli)
- dbtest (cli)
- dbtool (cli)
- derdump (cli)
- dertimetest (cli)
- digest (cli)
- ecperf (cli)
- encodeinttest (cli)
- fbectest (cli)
- fipstest (cli)
- httpserv (cli)
- listsuites (cli)
- lowhashtest (cli)
- makepqg (cli)
- modutil (cli)
- multinit (cli)
- nonspr10 (cli)
- nss-config (cli)
- nss-policy-check (cli)
- nssdefaults (cli)
- ocspclnt (cli)
- ocspresp (cli)
- oidcalc (cli)
- p7content (cli)
- p7env (cli)
- p7sign (cli)
- p7verify (cli)
- pk11ectest (cli)
- pk11gcmtest (cli)
- pk11importtest (cli)
- pk11mode (cli)
- pk12util (cli)
- pk1sign (cli)
- pkix-errcodes (cli)
- pp (cli)
- pwdecrypt (cli)
- remtest (cli)
- rsaperf (cli)
- rsapoptst (cli)
- sdbthreadtst (cli)
- sdrtest (cli)
- secmodtest (cli)
- selfserv (cli)
- shlibsign (cli)
- signtool (cli)
- signver (cli)
- ssltap (cli)
- strsclnt (cli)
- symkeyutil (cli)
- tstclnt (cli)
- validation (cli)
- vfychain (cli)
- vfyserv (cli)
- addbuiltin (alias)
- atob (alias)
- baddbdir (alias)
- bltest (alias)
- btoa (alias)
- certutil (alias)
- chktest (alias)
- cmsutil (alias)
- crlutil (alias)
- dbtest (alias)
- dbtool (alias)
- derdump (alias)
- dertimetest (alias)
- digest (alias)
- ecperf (alias)
- encodeinttest (alias)
- fbectest (alias)
- fipstest (alias)
- httpserv (alias)
- listsuites (alias)
- lowhashtest (alias)
- makepqg (alias)
- modutil (alias)
- multinit (alias)
- nonspr10 (alias)
- nss-config (alias)
- nss-policy-check (alias)
- nssdefaults (alias)
- ocspclnt (alias)
- ocspresp (alias)
- oidcalc (alias)
- p7content (alias)
- p7env (alias)
- p7sign (alias)
- p7verify (alias)
- pk11ectest (alias)
- pk11gcmtest (alias)
- pk11importtest (alias)
- pk11mode (alias)
- pk12util (alias)
- pk1sign (alias)
- pkix-errcodes (alias)
- pp (alias)
- pwdecrypt (alias)
- remtest (alias)
- rsaperf (alias)
- rsapoptst (alias)
- sdbthreadtst (alias)
- sdrtest (alias)
- secmodtest (alias)
- selfserv (alias)
- shlibsign (alias)
- signtool (alias)
- signver (alias)
- ssltap (alias)
- strsclnt (alias)
- symkeyutil (alias)
- tstclnt (alias)
- validation (alias)
- vfychain (alias)
- vfyserv (alias)

## Dependencies

- nspr

## Uses from macOS

- sqlite

## Install behavior

- Post-install hook: not defined
- Bottle: available on arm64_linux, arm64_sequoia, arm64_sonoma, arm64_tahoe, sonoma, x86_64_linux

## Freshness

- Page generated: 2026-07-08
- Package-manager version: 3.125
- Package-manager updated: 2026-06-25
- Local data: ok
- Upstream repository: https://firefox-source-docs.mozilla.org/security/nss/index.html
- info: Release/tag comparison is only available for GitHub repositories.
## Project history and usage

NSS, Network Security Services, is Mozilla's C library set for TLS, PKI, S/MIME, X.509 certificates, PKCS standards, and related crypto/security tasks. It descends from Netscape's browser and server security code and remains a major non-OpenSSL security stack.

### Project history

Mozilla's archived NSS history says the code began as the base security code in the original Netscape Navigator products: Navigator 1.0 supported SSL 2.0, Navigator 2.0 added SSL 3.0 and server-side private-key support, Navigator 3.0 added client authentication, and Communicator 4.0 broke much of the security code into its own NSPR-dependent component.

After Communicator 4.0, the security code began shipping independently. The archived history describes HCL as the first independently buildable security-code line, with NSS 2.0 as the first release fully tested and made available outside Netscape. Firefox Source Docs describes the modern NSS package as MPL-2.0 libraries for security-enabled client and server applications.

### Adoption history

NSS's adoption comes from browsers, mail clients, PKI tooling, and platforms that value its PKCS #11 model and Mozilla root store integration. Mozilla docs say it is used by Mozilla and other companies in Firefox, AOL Instant Messenger, Red Hat server products, and other products; Ubuntu documentation describes it as originally developed by Netscape, inherited by Mozilla, and used mainly in Firefox and Thunderbird on Ubuntu.

On July 1, 2026, Homebrew listed NSS 3.125 with 486,543 installs in its 365-day analytics window and 105,895 installs on request. Unlike NSPR, NSS is both a dependency and a directly requested toolkit because it ships command-line utilities such as `certutil`, `pk12util`, `modutil`, `vfychain`, and `tstclnt`.

### How it is used

Developers use NSS when they need Mozilla-compatible TLS/PKI behavior, PKCS #11 modules, certificate/key databases, S/MIME/CMS processing, or command-line certificate database management. The practical package-nerd workflow is often `certutil -d sql:...`, `pk12util`, `modutil`, and `nss-config`, especially when dealing with software that uses NSS databases rather than PEM files directly.

NSS depends on NSPR for cross-platform I/O and threading. Its architecture includes FreeBL, Softoken, CKBI built-in root certificates, certificate/key databases, and SSL/TLS and S/MIME modules, which is why it feels like a complete PKI stack rather than a small crypto primitive library.

### Why package nerds care

NSS is significant because it is the Mozilla security stack: a browser-grade TLS/PKI implementation with command-line tools and a different trust/key storage model from OpenSSL. Packaging it correctly matters for browsers, certificate management, and any software linked against Mozilla's crypto libraries.

### Timeline

- Navigator 1.0 era: Netscape security code supported SSL 2.0.
- Navigator 2.0 era: SSL 3.0 and server-side private-key support entered the codebase.
- Communicator 4.0 era: security code was partly split into its own NSPR-dependent component.
- NSS 2.0 era: the code became fully tested and available outside Netscape.
- July 1, 2026: Homebrew listed NSS 3.125.

### Related projects

- NSPR provides the portability layer used by NSS.
- Firefox, Thunderbird, and other Mozilla-family software are major NSS consumers.

### Sources

- <https://firefox-source-docs.mozilla.org/security/nss/index.html>
- <https://formulae.brew.sh/formula/nss>
- <https://nss-crypto.org/reference/security/nss/legacy/an_overview_of_nss_internals/index.html>
- <https://nss-crypto.org/reference/security/nss/legacy/faq/index.html>
- <https://nss-crypto.org/reference/security/nss/legacy/overview/index.html>
- <https://ubuntu.com/server/docs/explanation/crypto/network-security-services-nss/>
- <https://www-archive.mozilla.org/projects/security/pki/nss/history>


## Security Notes

No matching local secret-handling manifest was found for nss. Nucleus package metadata is still published here so future coverage has a stable package URL.


## Source Database Details

- **Source Database:** Homebrew formula API
- **Tap:** homebrew/core
- **Full Name:** nss
- **Version Scheme:** 0
- **Revision:** 0
- **Conflicts With:** arabica, resty
- **Bottle Stable Root URL:** <https://ghcr.io/v2/homebrew/core>
- **Deprecated:** no
- **Disabled:** no
- **Keg Only:** no
- **URL Keys:** stable

## Other Package-Manager Records

- Debian apt - libnss3 - 2:3.110-1+deb13u1: normalized package name match | Debian stable package indexes: libnss3 from https://deb.debian.org/debian/dists/stable/main/binary-amd64/Packages.xz | Network Security Service libraries | https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS
- Debian apt - libnss3-dev - 2:3.110-1+deb13u1: normalized package name match | Debian stable package indexes: libnss3-dev from https://deb.debian.org/debian/dists/stable/main/binary-amd64/Packages.xz | Development files for the Network Security Service libraries | https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS
- Debian apt - libnss3-tools - 2:3.110-1+deb13u1: normalized package name match | Debian stable package indexes: libnss3-tools from https://deb.debian.org/debian/dists/stable/main/binary-amd64/Packages.xz | Network Security Service tools | http://www.mozilla.org/projects/security/pki/nss/tools/
- Nix - nss: normalized package name match | nixpkgs package indexes: nss from https://raw.githubusercontent.com/NixOS/nixpkgs/master/pkgs/top-level/all-packages.nix
- Ubuntu apt - libnss3 - 2:3.98-1build1: normalized package name match | Ubuntu 24.04 LTS package indexes: libnss3 from https://archive.ubuntu.com/ubuntu/dists/noble/main/binary-amd64/Packages.gz | Network Security Service libraries | https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS
- Ubuntu apt - libnss3-dev - 2:3.98-1build1: normalized package name match | Ubuntu 24.04 LTS package indexes: libnss3-dev from https://archive.ubuntu.com/ubuntu/dists/noble/main/binary-amd64/Packages.gz | Development files for the Network Security Service libraries | https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS
- Ubuntu apt - libnss3-tools - 2:3.98-1build1: normalized package name match | Ubuntu 24.04 LTS package indexes: libnss3-tools from https://archive.ubuntu.com/ubuntu/dists/noble/main/binary-amd64/Packages.gz | Network Security Service tools | http://www.mozilla.org/projects/security/pki/nss/tools/
- apk - nss - 3.124-r0: normalized package name match | Alpine Linux edge package indexes: nss from https://dl-cdn.alpinelinux.org/alpine/edge/main/x86_64/APKINDEX.tar.gz | Mozilla Network Security Services | https://developer.mozilla.org/docs/Mozilla/Projects/NSS
- apk - nss-dev - 3.124-r0: normalized package name match | Alpine Linux edge package indexes: nss-dev from https://dl-cdn.alpinelinux.org/alpine/edge/main/x86_64/APKINDEX.tar.gz | Development files for nss | https://developer.mozilla.org/docs/Mozilla/Projects/NSS
- apk - nss-tools - 3.124-r0: normalized package name match | Alpine Linux edge package indexes: nss-tools from https://dl-cdn.alpinelinux.org/alpine/edge/main/x86_64/APKINDEX.tar.gz | Tools for the Network Security Services | https://developer.mozilla.org/docs/Mozilla/Projects/NSS
- dnf - nspr - 4.39-1.fc45: normalized package name match | Fedora Rawhide package metadata: nspr from https://dl.fedoraproject.org/pub/fedora/linux/development/rawhide/Everything/x86_64/os/repodata/e5ca8ce900cd68f5419e1c39ae517343100b306336cbaeb70a3c153121d95094-primary.xml.zst | Netscape Portable Runtime | http://www.mozilla.org/projects/nspr/
- dnf - nspr-devel - 4.39-1.fc45: normalized package name match | Fedora Rawhide package metadata: nspr-devel from https://dl.fedoraproject.org/pub/fedora/linux/development/rawhide/Everything/x86_64/os/repodata/e5ca8ce900cd68f5419e1c39ae517343100b306336cbaeb70a3c153121d95094-primary.xml.zst | Development libraries for the Netscape Portable Runtime | http://www.mozilla.org/projects/security/pki/nss/
- dnf - nss - 3.124.0-1.fc45: normalized package name match | Fedora Rawhide package metadata: nss from https://dl.fedoraproject.org/pub/fedora/linux/development/rawhide/Everything/x86_64/os/repodata/e5ca8ce900cd68f5419e1c39ae517343100b306336cbaeb70a3c153121d95094-primary.xml.zst | Network Security Services | http://www.mozilla.org/projects/security/pki/nss/
- dnf - nss-devel - 3.124.0-1.fc45: normalized package name match | Fedora Rawhide package metadata: nss-devel from https://dl.fedoraproject.org/pub/fedora/linux/development/rawhide/Everything/x86_64/os/repodata/e5ca8ce900cd68f5419e1c39ae517343100b306336cbaeb70a3c153121d95094-primary.xml.zst | Development libraries for Network Security Services | http://www.mozilla.org/projects/security/pki/nss/
- dnf - nss-pkcs11-devel - 3.124.0-1.fc45: normalized package name match | Fedora Rawhide package metadata: nss-pkcs11-devel from https://dl.fedoraproject.org/pub/fedora/linux/development/rawhide/Everything/x86_64/os/repodata/e5ca8ce900cd68f5419e1c39ae517343100b306336cbaeb70a3c153121d95094-primary.xml.zst | Development libraries for PKCS #11 (Cryptoki) using NSS | http://www.mozilla.org/projects/security/pki/nss/
- dnf - nss-softokn - 3.124.0-1.fc45: normalized package name match | Fedora Rawhide package metadata: nss-softokn from https://dl.fedoraproject.org/pub/fedora/linux/development/rawhide/Everything/x86_64/os/repodata/e5ca8ce900cd68f5419e1c39ae517343100b306336cbaeb70a3c153121d95094-primary.xml.zst | Network Security Services Softoken Module | http://www.mozilla.org/projects/security/pki/nss/


## Related links

- [Terminal utility packages](https://www.automicvault.com/pkg/terminal-utilities/) - Matched terminal and command-line workflow metadata.
- [Networking and protocol packages](https://www.automicvault.com/pkg/networking-protocol-tools/) - Matched network, protocol, or remote-service metadata.
- [Security and crypto packages](https://www.automicvault.com/pkg/security-crypto-tools/) - Matched security, identity, cryptography, password, signing, or certificate metadata.
- [Documentation packages](https://www.automicvault.com/pkg/documentation-tools/) - Matched documentation, manual, or publishing metadata.
- [nspr](https://www.automicvault.com/pkg/brew/nspr/) - Runtime dependency declared by Homebrew.
- [poppler](https://www.automicvault.com/pkg/brew/poppler/) - Popular package that depends on this formula.
- [qca](https://www.automicvault.com/pkg/brew/qca/) - Popular package that depends on this formula.
- [redwax-tool](https://www.automicvault.com/pkg/brew/redwax-tool/) - Popular package that depends on this formula.
- [gnutls](https://www.automicvault.com/pkg/brew/gnutls/) - Shares av.db curated category or tags: cli, cryptography, security, tls.
- [libressl](https://www.automicvault.com/pkg/brew/libressl/) - Shares av.db curated category or tags: cli, cryptography, security, tls.
- [wolfssl](https://www.automicvault.com/pkg/brew/wolfssl/) - Shares av.db curated category or tags: cli, cryptography, security, tls.
- [botan](https://www.automicvault.com/pkg/brew/botan/) - Shares av.db curated category or tags: cli, cryptography, security, tls.
- [cfssl](https://www.automicvault.com/pkg/brew/cfssl/) - Shares av.db curated category or tags: cli, cryptography, pki, security, tls.
- [gmssl](https://www.automicvault.com/pkg/brew/gmssl/) - Shares av.db curated category or tags: cli, cryptography, security, tls.
- [mbedtls](https://www.automicvault.com/pkg/brew/mbedtls/) - Shares av.db curated category or tags: cli, cryptography, security, tls.
- [nettle](https://www.automicvault.com/pkg/brew/nettle/) - Shares av.db curated category or tags: cli, cryptography, security.

## Combined YAML source

View the package source record on GitHub. [combined/nss.yml](https://github.com/automic-vault/db/blob/main/combined/nss.yml)


## Sources

- Nucleus package database
- Geiger risk classifier
- package-page enrichment
- curated package history
- package version freshness
- av.db category and tag curation
- package relationship graph
- external package-manager database matches
- cross-ecosystem install command graph
